---
title: Signing Plugins for Third-Party Signature Verification
---


{/* 
  CONTRIBUTOR NOTE:
  ----------------
  This is a legacy document that is being deprecated.
  Please DO NOT make changes to this version.
  All updates should be directed to the new version at:
  /plugin-dev-en/0312-third-party-signature-verification
*/}

<Card title="This Documentation is Being Deprecated" icon="circle-exclamation" href="/plugin-dev-en/0312-third-party-signature-verification">
  <p>This page is being phased out as part of our documentation reorganization.</p>
  
  <p><strong>Click this card</strong> to be redirected to the updated version with the most current information.</p>
  
  <p>If you notice any discrepancies or areas needing improvement in the new documentation, please use the "Report an issue" button at the bottom of the page.</p>
</Card>

<Warning>This feature is available only in the Dify Community Edition. Third-party signature verification is not currently supported on Dify Cloud Edition.</Warning>

Third-party signature verification allows Dify administrators to safely approve the installation of plugins not listed on the Dify Marketplace without completely disabling signature verification. This supports the following scenarios for example:

* Dify administrators can add a signature to a plugin sent by the developer once it has been approved.
* Plugin developers can add a signature to their plugin and publish it along with the public key for Dify administrators who cannot disable signature verification.

Both Dify administrators and plugin developers can add a signature to a plugin using a pre-generated key pair. Additionally, administrators can configure Dify to enforce signature verification using specific public keys during plugin installation.

## Generating a Key Pair for Signing and Verification

Generate a new key pair for adding and verifying the plugin's signature with the following command:

```bash
dify signature generate -f your_key_pair
```

After running this command, two files will be generated in the current directory:

* **Private Key**: `your_key_pair.private.pem`
* **Public Key**: `your_key_pair.public.pem`

The private key is used to sign the plugin, and the public key is used to verify the plugin's signature.

<Warning>Keep the private key secure. If it is compromised, an attacker could add a valid signature to any plugin, which would compromise Dify's security.</Warning>

## Adding a Signature to the Plugin and Veriyfing It

Add a signature to your plugin by running the following command. Note that you must specify the **plugin file to sign** and the **private key**:

```bash
dify signature sign your_plugin_project.difypkg -p your_key_pair.private.pem
```

After executing the command, a new plugin file will be generated in the same directory with `signed` added to its original filename: `your_plugin_project.signed.difypkg`

You can verify that the plugin has been correctly signed using this command. Here, you need to specify the **signed plugin file** and the **public key**:

```bash
dify signature verify your_plugin_project.signed.difypkg -p your_key_pair.public.pem
```

<Info>If you omit the public key argument, verification will use the Dify Marketplace public key. In that case, signature verification will fail for any plugin file not downloaded from the Dify Marketplace.</Info>

## Enabling Third-Party Signature Verification

Dify administrators can enforce signature verification using pre-approved public keys before installing a plugin.

### Placing the Public Key

Place the **public key** corresponding to the private key used for signing in a location that the plugin daemon can access.

For example, create a `public_keys` directory under `docker/volumes/plugin_daemon` and copy the public key file there:

```bash
mkdir docker/volumes/plugin_daemon/public_keys
cp your_key_pair.public.pem docker/volumes/plugin_daemon/public_keys
```

### Environment Variable Configuration

In the `plugin_daemon` container, configure the following environment variables:

* `THIRD_PARTY_SIGNATURE_VERIFICATION_ENABLED`
  * Enables third-party signature verification.
  * Set this to `true` to enable the feature.
* `THIRD_PARTY_SIGNATURE_VERIFICATION_PUBLIC_KEYS`
  * Specifies the path(s) to the public key file(s) used for signature verification.
  * You can list multiple public key files separated by commas.

Below is an example of a Docker Compose override file (`docker-compose.override.yaml`) configuring these variables:

```yaml
services:
  plugin_daemon:
    environment:
      FORCE_VERIFYING_SIGNATURE: true
      THIRD_PARTY_SIGNATURE_VERIFICATION_ENABLED: true
      THIRD_PARTY_SIGNATURE_VERIFICATION_PUBLIC_KEYS: /app/storage/public_keys/your_key_pair.public.pem
```

<Info>Note that `docker/volumes/plugin_daemon` is mounted to `/app/storage` in the `plugin_daemon` container. Ensure that the path specified in `THIRD_PARTY_SIGNATURE_VERIFICATION_PUBLIC_KEYS` corresponds to the path inside the container.</Info>

To apply these changes, restart the Dify service:

```bash
cd docker
docker compose down
docker compose up -d
```

After restarting the service, the third-party signature verification feature will be enabled in the current Community Edition environment.

{/*
Contributing Section
DO NOT edit this section!
It will be automatically generated by the script.
*/}

---

[Edit this page](https://github.com/langgenius/dify-docs/edit/main/en/plugins/publish-plugins/signing-plugins-for-third-party-signature-verification.mdx) | [Report an issue](https://github.com/langgenius/dify-docs/issues/new?template=docs.yml)

